UK intelligence agency stores passwords in plain text

Summary: Just the other week, we heard that the Australian Tax Office was storing passwords in plain text. This time, it's one of the UK's intelligence agencies.

There are some government agencies that most would expect to have a fair grasp of security, even for those systems that are not core to their operations. That's what we thought with the Australian Tax Office's Publication Ordering System, but sadly, we were proven wrong.

University student Dan Farrall discovered that the careers site of the UK's Government Communications Headquarters (GCHQ) has been sending back passwords in complete plain text. For those of us outside of the UK, GCHQ is one of Britain's intelligence agencies, dealing primarily with signals intelligence and charged with "safeguarding Britain's electronic communications and digital space".

It works with the nation's security services and secret intelligence services MI5 and MI6, and is thought of as the counterpart to the US National Security Agency or Australia's Defence Signals Directorate.

As Farrall pointed out on his blog, apart from the harm to its reputation, the sort of information that would be held within these systems would be significant.

We double-checked Farrall's claim and confirmed that the passwords were in fact being sent in plain text, and while we were at it, we started an application for a malware reverse engineer.

Password recovery email. (Image: Screenshot by Michael Lee/ZDNet)

Aside from the usual residential information, the applications required passport numbers, reasons for wanting to apply, the relevant skills for the position being applied to, education history, and qualifications.

I imagine that such information would be especially interesting to foreign nations that would like to narrow down and possibly turn tomorrow's government penetration testers, or tap those that work on discovering and patching vulnerabilities for the UK government.

Farrall claimed to have contacted GCHQ about the issue at the end of February, but received no response.

GCHQ responded to ZDNet's queries about the issue, stating that "the current applicant tracking system used by GCHQ is a legacy system" and that it is already in the process of replacing it.

Although the main issue with plain text passwords lies with the entire username and password database being unprotected and accessible in the event of a breach, GCHQ appeared to believe that the problem was simply a matter of passwords being sent over email.

It told ZDNet that "only the very small percentage of applicants (who need their accounts reset) are sent a new password. This comes with clear instructions of how to protect their data."

From the email in the screenshot above, these clear instructions involve not writing down the password or giving it to anyone else.

Updated on 27 March, 2012 at 10.45am AEDST: Included response from GCHQ.

Topics: Security, Government UK, United Kingdom

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

5 comments
  • To be fair

    Whatever your password recovery email is and regardless of whether the recovery involves an actual password (ie done through links instead), it's only ever going to be as secure as your email password/account is.

    Having said that, it could also be a tacit acceptance that "we don't care what your password is, we can always decrypt it", which is even more worrying.
    Pachanga-4184c
    • The problem...

      is that, if the passwords are properly hashed, so that they cannot be (easily) read, the system cannot send you an email with your existing password, it can only reset it for you and get you to enter another one.

      If security isn't done properly, they can send you your old password back. That is the problem here.

      Instead of a good, strong algorithm with a decent salt, they are storing the password in a form that means that it can easily be recovered, which is bad and something you learn not to do in security 101.
      wright_is
      • That seems about it to me

        Even my commercial operation goes about it this way - no emails with any password. We are too worried about being sued by customers more than any worry on the data.
        Maybe GCHQ should have an economic reason for good practice to push them
        Anyhow - a civil servant doing a good job - now that would be a shocker!
        sonnet37
      • My point

        ...was that it doesn't really matter whether they send you the password or a link, someone with access to the email can click on the link just as easily as copy the password.

        What it really comes down to is the window of opportunity. Reset links usually have a timeout and become useless after that time.

        We don't really know how these recovery passwords are being used - they could also be of limited longevity - or whether you are forced to enter a new password in logon.

        If the recovery password has a limited lifetime, I don't really see the difference between that and a reset link.
        Pachanga-4184c
        • Not a 'recovery' password

          Just to clarify, the password that is sent back to the user is the password they used to sign up to the site. I just happened to use the "DP0....." password when signing up -- it was not assigned to me by their system.

          There is also no requirement to change your password once signed in (although I have since writing the article to prevent misuse).
          Michael Lee (Mukimu)
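
The storage and reset approach discussed in the article and the comments above (a salted one-way hash instead of a recoverable password, and an expiring reset link instead of e-mailing the password), as an added example that is not part of the original article or discussion. The record layout, function names, PBKDF2 iteration count and 15-minute lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # assumed work factor for this sketch
RESET_TTL = 15 * 60           # assumed reset-link lifetime in seconds

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def hash_password(password: str) -> dict:
    """Return what the server stores: a per-user random salt and a one-way digest."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": _derive(password, salt)}

def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive from the attempt and compare in constant time."""
    return hmac.compare_digest(_derive(attempt, record["salt"]), record["digest"])

def issue_reset(record: dict, now: float) -> str:
    """Create a random token; keep only its SHA-256 and an expiry in the record."""
    token = secrets.token_urlsafe(32)
    record["reset"] = {"hash": hashlib.sha256(token.encode()).digest(),
                       "expires": now + RESET_TTL}
    return token  # this goes into the e-mailed link; the password never does

def redeem_reset(record: dict, token: str, new_password: str, now: float) -> bool:
    """Accept a token once, before expiry, and replace the stored salt and digest."""
    pending = record.get("reset")
    if pending is None:
        return False
    if now > pending["expires"]:
        del record["reset"]          # expired tokens are discarded
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    del record["reset"]              # single use
    record.update(hash_password(new_password))
    return True

if __name__ == "__main__":
    # Constructed sample account; the password below is made up for the demo.
    account = hash_password("constructed-signup-password")
    print(sorted(account))           # only 'digest' and 'salt': nothing to e-mail back
    link_token = issue_reset(account, now=0.0)
    print(redeem_reset(account, link_token, "constructed-new-password", now=60.0))
```

A breach of this record exposes the salt, the digest and at most the hash of a short-lived token, so neither the sign-up password nor a usable reset link can be read from it directly.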